CVE-2024-5133: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in lunary-ai lunary-ai/lunary
In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the `GET /v1/users/me/org` endpoint, which lists all users in a team. This allows any authenticated user to capture the recovery token of another user and subsequently change that user's password without consent, effectively taking over the account. The issue lies in the inclusion of the `recovery_token` attribute in the users object returned by the API.
AI Analysis
Technical Summary
CVE-2024-5133 is a critical vulnerability in lunary-ai/lunary version 1.2.4, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Password recovery tokens, which should reach only the user who requested the reset and be used once in that flow, are serialized into the response of the GET /v1/users/me/org endpoint, which lists every user in the caller's team. Any authenticated member of the team can therefore read the recovery_token of any other member for whom a reset is pending and use it to set a new password on that account without the owner's involvement. The attacker needs nothing beyond an ordinary account in the same team and no interaction from the victim. The token appears in the listing as soon as a reset has been initiated, so the exposure window is the lifetime of a pending reset.

The vulnerability carries a CVSS v3.0 score of 9.1: network attack vector, low attack complexity, no user interaction, high impact on confidentiality and integrity. The published vector records no privileges required, whereas the description presupposes an authenticated team member; practitioners re-scoring for their own environment may treat this as a low-privilege prerequisite, which does not change the conclusion that the flaw is easy to exploit. No public exploit is known. The root cause is a missing projection in the API layer: the users object is serialized without an explicit allowlist of public fields, so a secret that is stored alongside profile data is returned with it. This is a data-filtering and access-control failure in the API response, not a flaw in the token itself. Consequences are account takeover, loss of confidentiality of everything the victim can access in the platform, and a foothold for lateral movement within the affected organization.
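The following added example, which is not Lunary's code, shows the serialization pattern the summary describes and the fix a practitioner would apply: a team-listing handler that spreads the database row into the response (leaking recovery_token) beside one that projects through an allowlist, plus a recursive scanner that flags secret-looking keys in any JSON response so the regression can be caught automatically. The rows, the field names other than recovery_token, and the key-name pattern are constructed for the example.

```javascript
// Added example (not lunary-ai/lunary code). Demonstrates how a team listing
// leaks a recovery token when rows are serialized wholesale, the allowlist
// projection that prevents it, and an audit helper for API responses.

// Constructed rows standing in for what a "SELECT *" on a users table might
// return for one team. A password reset is pending for Bob, so his row holds
// a live recovery token. Column names other than recovery_token are assumed.
const TEAM_ROWS = [
  { id: 1, email: "alice@example.com", name: "Alice", role: "admin",
    password_hash: "$argon2id$constructed", recovery_token: null },
  { id: 2, email: "bob@example.com", name: "Bob", role: "member",
    password_hash: "$argon2id$constructed", recovery_token: "tok_constructed_9f2c0a" },
];

// Vulnerable pattern: every column of the row reaches any authenticated
// caller. Storing the token next to profile data is what makes this fatal.
function listOrgUsersVulnerable(rows) {
  return { users: rows.map((row) => ({ ...row })) };
}

// Hardened pattern: serialize through an explicit allowlist. A column added
// to the table later cannot leak unless someone deliberately lists it here.
const PUBLIC_USER_FIELDS = ["id", "email", "name", "role"];

function toPublicUser(row) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (key in row) out[key] = row[key];
  }
  return out;
}

function listOrgUsersHardened(rows) {
  return { users: rows.map(toPublicUser) };
}

// Audit helper: walk a JSON response and return the paths of keys whose
// names look like secrets. It flags on key name, not value, because a
// serializer that emits the key at all is the defect, even when the value
// happens to be null for a user with no pending reset.
const SENSITIVE_KEY_RE = /(recovery|reset|password|passwd|secret|api_?key|session|token)/i;

function findSensitiveKeys(value, path = "$", found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findSensitiveKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (SENSITIVE_KEY_RE.test(key)) found.push(childPath);
      findSensitiveKeys(child, childPath, found);
    }
  }
  return found;
}

// Stand-alone demonstration.
console.log("vulnerable:", findSensitiveKeys(listOrgUsersVulnerable(TEAM_ROWS)));
console.log("hardened:  ", findSensitiveKeys(listOrgUsersHardened(TEAM_ROWS)));
```

Run findSensitiveKeys over recorded responses from every endpoint that returns user records, not only the org listing. The pattern is deliberately broad: a bare "token" also matches innocuous fields such as usage counters, so treat hits as items for review rather than as a blocking rule, and narrow the expression once the legitimate fields are known.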
Potential Impact
For European organizations, this vulnerability is first of all a user-account security and data-confidentiality risk. Any deployment of lunary-ai/lunary 1.2.4 in which several users share a team is exposed: a single low-privileged member can take over colleagues' accounts, including higher-privileged members listed in the same team, as soon as a password reset is pending for them, and with the victim's access can read or alter whatever data the victim holds in the platform, disrupt operations, or pivot further. Because the takeover path is a password reset rather than a login, it also sidesteps multi-factor authentication on the victim's account if the reset flow does not re-verify a second factor. The attack is simple and repeatable, so in environments with large teams an attacker could compromise several accounts in quick succession. Sectors handling sensitive or regulated data (finance, healthcare, public administration) are the most exposed, and unauthorized access to personal data held in the platform is a GDPR matter that can carry regulatory penalties. The absence of known exploitation in the wild does not lessen the urgency: the only access required is an ordinary team account.
Mitigation Recommendations
1. Audit every API response that returns user records (org and team listings, profile and search endpoints) and confirm that recovery_token and other secrets such as password hashes, API keys and session identifiers are never serialized. Define the response fields as an allowlist of public attributes rather than a denylist of known secrets.
2. Remove the recovery_token attribute from the GET /v1/users/me/org response and from every other endpoint reachable by authenticated users. The server needs the token only to compare it against the value presented on the reset form; no client ever needs to read it.
3. As defence in depth, store only a hash of the recovery token server-side and make tokens single-use with a short expiry, so that a token exposed through a future serialization bug or a log has limited value.
4. Enforce role-based access controls on who may view other users' details, so that team membership alone does not grant access to every attribute of every account.
5. Require verification in the reset workflow beyond possession of the token, for example confirmation through the registered contact channel or a second factor, and invalidate all active sessions when a password changes.
6. Monitor for password resets that complete for a user who did not request one, and for reads of the org listing by one user shortly before another user's password changes.
7. Track lunary-ai for a release that removes the field from the response and apply it as soon as it is available; until then, treat the listing endpoint as exposing secrets.
8. Tell users to report password-reset notifications they did not initiate, since an unexpected reset mail is the earliest signal of this attack.
9. Feed API access logs into anomaly detection so that abnormal request patterns, such as repeated polling of the org listing, are surfaced.
10. Add account takeover through exposed recovery tokens to incident response plans, and for organizations with sensitive data consider compensating controls such as network segmentation and enhanced monitoring until the fix is deployed.
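The monitoring items above describe a correlation rather than a single event. The added example below, which is not Lunary's code, implements that correlation over a constructed audit log: for each completed password reset it finds the request it belongs to and reports every other authenticated user who fetched the team listing in between, which is exactly the window in which the recovery token was readable. The event schema, action names and IP addresses are assumptions made for the example; map them onto the fields your own access logs provide.

```javascript
// Added example (not lunary-ai/lunary code). Correlation rule for the
// token-harvesting pattern: reset requested for victim -> another user reads
// the team listing -> reset completed for victim. Event shape is constructed.

// Constructed audit events. `actor` is the authenticated user making the
// request (null when the request is unauthenticated, as reset requests and
// completions usually are); `target` is the account a reset concerns.
const EVENTS = [
  { ts: "2024-05-20T09:00:00Z", actor: "bob",     action: "login",            target: "bob",   ip: "203.0.113.7" },
  { ts: "2024-05-20T09:01:10Z", actor: null,      action: "reset_requested",  target: "bob",   ip: "198.51.100.4" },
  { ts: "2024-05-20T09:01:40Z", actor: "mallory", action: "org_users_listed", target: null,    ip: "198.51.100.4" },
  { ts: "2024-05-20T09:02:05Z", actor: null,      action: "reset_completed",  target: "bob",   ip: "198.51.100.4" },
  // Benign control: alice requests and completes her own reset; nobody else
  // reads the listing while her token is pending.
  { ts: "2024-05-20T10:00:00Z", actor: null,      action: "reset_requested",  target: "alice", ip: "192.0.2.9" },
  { ts: "2024-05-20T10:03:00Z", actor: null,      action: "reset_completed",  target: "alice", ip: "192.0.2.9" },
];

// Returns one alert per (victim, suspect) pair. `windowMs` bounds how far back
// from a completion we look for the matching request; align it with the
// token lifetime of the deployment being monitored.
function detectTokenHarvest(events, windowMs = 15 * 60 * 1000) {
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const alerts = [];

  for (const done of sorted) {
    if (done.action !== "reset_completed") continue;
    const tDone = Date.parse(done.ts);
    const victim = done.target;

    // The most recent request for this victim within the window is the one
    // whose token was just consumed.
    const request = sorted
      .filter((e) => e.action === "reset_requested" && e.target === victim)
      .filter((e) => Date.parse(e.ts) <= tDone && tDone - Date.parse(e.ts) <= windowMs)
      .pop();
    if (!request) continue;
    const tReq = Date.parse(request.ts);

    // Every other authenticated user who listed the team between request and
    // completion could have read the victim's recovery_token.
    const readers = sorted.filter((e) =>
      e.action === "org_users_listed" &&
      e.actor && e.actor !== victim &&
      Date.parse(e.ts) >= tReq && Date.parse(e.ts) <= tDone);

    for (const reader of readers) {
      // A listing and a completion from the same source address is strong
      // corroboration; without it the alert is a lead, not a verdict.
      const sameIp = reader.ip === done.ip;
      alerts.push({
        victim,
        suspect: reader.actor,
        listedAt: reader.ts,
        completedAt: done.ts,
        sameIp,
        confidence: sameIp ? "high" : "low",
      });
    }
  }
  return alerts;
}

// Stand-alone demonstration.
console.log(detectTokenHarvest(EVENTS));
```

In a large team the base rule fires whenever anyone opens the team page while a colleague's reset is pending, so rank alerts by the sameIp corroboration and by how many pending resets a given reader overlaps with, and confirm by asking the victim whether they requested the reset. The rule is also a useful post-incident query: run it over historical logs to find resets that completed after a third party read the listing.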
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
Data Version: 5.1
Assigner Short Name: @huntr_ai
Date Reserved: 2024-05-19T18:19:36.613Z
CVSS Version: 3.0
State: PUBLISHED
Threat ID: 68ef9b27178f764e1f470c58
Added to database: 10/15/2025, 1:01:27 PM
Last enriched: 10/15/2025, 1:30:07 PM
Last updated: 11/26/2025, 5:25:37 PM